This is the final feature release of runc before 1.0, rather than 1.0 itself. The reason for this is that, during the preparations for this release (which was originally meant to be 1.0), it was brought up that there were several spec-compliance problems. One of these was related to hook ordering, and upon trying to fix it, it turned out that many users (notably the NVIDIA OCI hooks) depend on our incorrect hook ordering. All of the proposed solutions to this problem require a lot of time and co-ordination, and thus would stall this release indefinitely.

So, the idea is to have an intermediate release which will mark a freeze-on-everything-except-spec-compliance-bugs. No other changes will be included pre-1.0 (aside from security patches obviously).

Several aspects of rootless mode are now also used when runc itself is run inside a user namespace. This is necessary for a number of useful things (such as running Docker inside a user namespace), but did cause some breakages. We think they've all been fixed -- but if not, please submit an issue! #1688 #1808 #1816 #1862

Improve kernel.{domain,host}name sysctl handling, to allow the NIS domainname to be set from Docker or other callers without an OCI spec change. As with kernel.hostname, this requires the container to have its own UTS namespace. #1827

Add documentation for one of the more confusing parts of runc: how terminals are handled (including an explanation of --console-socket). All the gory details and recommendations are available in docs/terminals.md. #1730
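For readers who want to see the --console-socket handshake in working code, here is an added example (not runc's own code, and not taken from docs/terminals.md). It assumes the protocol described there: the caller listens on an AF_UNIX socket, runc connects to it and sends the container's PTY master as a single SCM_RIGHTS file descriptor. The function and file names here are the example's own; demo_roundtrip() stands in for runc with a socketpair and a freshly opened PTY so the whole thing runs offline.

```python
"""Minimal consumer for runc's --console-socket protocol (added example)."""
import array
import os
import socket


def recv_console_fd(conn: socket.socket) -> int:
    """Receive exactly one file descriptor (the PTY master) from `conn`.

    Rejects a message that carries zero or several descriptors: blindly
    taking fds[0] would leak any extra descriptors the peer handed over.
    """
    fds = array.array("i")
    # Leave room for a few ints and verify the count below rather than trusting it.
    msg, ancdata, flags, _addr = conn.recvmsg(1024, socket.CMSG_SPACE(4 * fds.itemsize))
    if flags & socket.MSG_CTRUNC:
        raise RuntimeError("ancillary data truncated; refusing a partial fd set")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            usable = len(data) - (len(data) % fds.itemsize)
            fds.frombytes(data[:usable])
    if len(fds) != 1:
        for fd in fds:  # close anything unexpected instead of leaking it
            os.close(fd)
        raise RuntimeError(f"expected 1 fd, got {len(fds)} (payload={msg!r})")
    return fds[0]


def serve_console_socket(path: str) -> int:
    """Bind `path`, wait for runc to connect, and return the PTY master fd.

    Start this before `runc create --console-socket <path> ...`: runc is the
    client in this protocol, so the listener has to exist first.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        if os.path.exists(path):
            os.unlink(path)
        srv.bind(path)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return recv_console_fd(conn)
    finally:
        srv.close()


def demo_roundtrip() -> bytes:
    """Simulate the handshake with constructed input (no runc needed).

    One end of a socketpair plays runc and sends a PTY master over
    SCM_RIGHTS; the other end receives it and reads what a "container
    process" wrote to the slave side of the same PTY.
    """
    master, slave = os.openpty()
    runc_side, caller_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        runc_side.sendmsg(
            [b"/dev/ptmx"],  # payload is informational; the fd is what matters
            [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [master]))],
        )
        received = recv_console_fd(caller_side)
        os.write(slave, b"hello from the container")  # container-side output
        out = os.read(received, 64)
        os.close(received)
        return out
    finally:
        runc_side.close()
        caller_side.close()
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print(demo_roundtrip())
```

The received descriptor refers to the same PTY master runc opened, so the caller can hand it to its own terminal-handling code (resize, read/write) without runc staying in the loop; that is the detached-terminal setup the documentation recommends.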

Allow /proc to be bind-mounted over (useful for rootless containers). #1832

Ignore ENOSYS for keyctl(2) operations. This is necessary to get Docker working inside LXC under the default seccomp profile (which is what ChromeOS uses). #1893

Allow building with completely-disabled kmemcg support, to get around problems with broken kernels (RHEL 7.5 can oops with kmemcg accounting enabled). #1921 #1922 #1930

Add support for cgroup namespaces, which in turn fixes a few other issues we encountered with the previous code (which could end up moving the runc process into a cgroup after the Go runtime had already started). #1916

Fixes:

Namespace creation with user namespaces now plays a bit nicer with SELinux and IPC (working around a kernel bug where the in-kernel mqueue mount would get the wrong SELinux label when using unshare(CLONE_NEWUSER|CLONE_NEWIPC)). This is done to avoid future problems with broken kernel integration. #1562

This is planned to be the final -rc release of runc. While we really haven't followed the rules for release candidates (with huge features introduced each release, and with massive gaps between releases), the hope is that once we've released 1.0.0 we will be much more liberal with releases in future. Let's see how that pans out. :P

Features:

Support cgroups in rootless containers. This is a continuation of the previous work done, and allows for users that have specialised setups (such as having the LXC pam_cg.so module set up) to use cgroups with rootless containers. #1540

Add support for newuidmap and newgidmap with rootless containers. This is a continuation of some previous work, and allows users that have /etc/sub{uid,gid} configured to use the shadow-utils setuid helpers. Note that this is optional: users who don't want to use setuid binaries at all are unaffected. #1529

runc will now use a chroot when mount namespaces aren't provided in the config.json. While chroot does have its (many) downsides, this does allow for specialised configurations to work properly. #1702

Expose annotations to hooks, so that the hook can have more direct information about the container it is being run against. #1687

Correctly generate seccomp profiles that place requirements on syscall arguments, as well as multi-argument restrictions. #1616 #1424

Prospective patch for remounting of old-root during pivot_root. This is intended to solve one of the many "mount leak" bugs that have been popping up recently -- caused by lots of container churn and host mounts being pinned during container setup. #1500